ServerA
- eth0 internet interface
- wg0 vpn interface 10.66.66.1
ServerB
- wg0 vpn interface 10.66.66.2
How can I forward traffic from eth0 to wg0 10.66.66.2 using iptables? I want to forward the following TCP and UDP ports to ServerB
TCP: 2302, 27015-27030, 27036-27037
UDP: 2302, 4380, 27000-27031, 27036
I already tried to forward everything for testing, but to no avail.
sudo iptables -A FORWARD --in-interface eth0 -j ACCEPT
sudo iptables --table nat -A POSTROUTING --out-interface wg0 -j MASQUERADE
EDIT:
Results of iptables -L. Do I need to mind an ambiguity between legacy and "normal" iptables?
[root@vmd40065 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
[root@vmd40065 ~]# iptables-legacy -L
bash: iptables-legacy: command not found...
1 Answer
IP Forwarding
How can I forward traffic from eth0 to wg0 10.66.66.2 using iptables?
You can't do that with iptables (alone). With iptables you can do filtering and NAT, but iptables doesn't do packet forwarding.
To get your incoming packets forwarded, you need to enable IP forwarding in the kernel. Using the command sysctl net.ipv4.ip_forward you can check if IP forwarding is already enabled.
Quote from Linux kernel documentation:
0 - disabled (default)
not 0 - enabled
Forward Packets between interfaces.
You can enable this by executing sysctl net.ipv4.ip_forward=1, but this change is not permanent, it gets reset on reboot. To make this permanent, you'd need a configuration entry (net.ipv4.ip_forward = 1) in one of the sysctl configuration files (eg. /etc/sysctl.conf). See man sysctl.conf for a complete list of configuration files.
If you want to limit what is being forwarded, you can add more parameters to your FORWARD rule, for example:
--protocol tcp or --protocol udp
--destination-port 27000:27031
See man iptables and iptables-extensions for more parameters if needed.
Note that adding ACCEPT rules to the FORWARD chain has no effect, if the chain policy is ACCEPT anyway and you don't have any DROP rules.
NAT
Your iptables SNAT rule in the POSTROUTING chain looks correct.
If the traffic coming from eth0 doesn't already have its destination address set to 10.66.66.2, then you also need a DNAT rule in the PREROUTING chain. This is to modify the destination address of the packets, so the routing can select the outgoing interface accordingly. This should be something like this:
iptables --table nat --append PREROUTING --in-interface eth0 \
    --protocol udp --destination-port 27000:27031 \
    --jump DNAT --to-destination 10.66.66.2:27000-27031
Debugging
For debugging purposes it can be helpful to:
- Observe the traffic with tcpdump on both servers.
- Add --verbose to iptables when listing rules. This way you can see how many packets (if any) got affected by which rule.
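The complete rule set the answer describes, put together for the question's exact port lists, as an added example (my script, not code from the question or the answer). It assumes the names and addresses given in the question (eth0 and wg0 10.66.66.1 on ServerA, ServerB at 10.66.66.2) and that ServerB's default route does not already go back through ServerA, so return traffic is handled by MASQUERADE on wg0. Without APPLY=1 it only prints the commands; with APPLY=1 it runs them and needs root. IPT is a hypothetical variable for choosing the binary, which matters on the questioner's host where iptables warns that legacy tables are present (set IPT=iptables-legacy there, if the package is installed).

```shell
#!/usr/bin/env bash
# Added example for the question above; not part of the original post or answer.
# Assumed topology (from the question): eth0 is ServerA's internet interface,
# wg0 is the WireGuard interface, ServerB is 10.66.66.2 behind wg0.
set -eu

WAN_IF=eth0
VPN_IF=wg0
TARGET=10.66.66.2
# Port lists exactly as requested in the question (ranges written low-high).
TCP_PORTS="2302,27015-27030,27036-27037"
UDP_PORTS="2302,4380,27000-27031,27036"

# iptables' multiport match writes a range as low:high, the question uses low-high.
to_multiport() {
    printf '%s' "$1" | tr '-' ':'
}

# Print one command per line: enable forwarding, DNAT the listed ports to ServerB,
# allow only those flows through FORWARD, and masquerade on the way out of wg0.
# IPT (hypothetical variable) selects the binary, e.g. IPT=iptables-legacy.
gen_rules() {
    local ipt="${IPT:-iptables}"
    local proto ports
    # Without this the kernel drops packets that are not addressed to ServerA itself.
    echo "sysctl -w net.ipv4.ip_forward=1"
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then
            ports=$(to_multiport "$TCP_PORTS")
        else
            ports=$(to_multiport "$UDP_PORTS")
        fi
        # PREROUTING DNAT: rewrite the destination so routing picks wg0.
        # No port in --to-destination keeps the original destination port.
        echo "$ipt -t nat -A PREROUTING -i $WAN_IF -p $proto -m multiport --dports $ports -j DNAT --to-destination $TARGET"
        # FORWARD: accept only new connections to ServerB on the listed ports.
        echo "$ipt -A FORWARD -i $WAN_IF -o $VPN_IF -d $TARGET -p $proto -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies and related packets in both directions.
    echo "$ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SNAT towards ServerB (the question's MASQUERADE rule, narrowed to the target).
    echo "$ipt -t nat -A POSTROUTING -o $VPN_IF -d $TARGET -j MASQUERADE"
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        gen_rules | while IFS= read -r cmd; do
            echo "+ $cmd"
            eval "$cmd"
        done
    else
        # Dry run: show what would be applied.
        gen_rules
    fi
}

main "$@"
```

The FORWARD rules only matter once the chain policy is DROP or a DROP rule exists, as the answer notes; with policy ACCEPT they merely give per-rule packet counters in iptables -L -v, which is the first thing to check when nothing arrives at ServerB. Each multiport match takes at most 15 ports and a range counts as two, so both lists here fit in one rule. MASQUERADE makes every forwarded connection appear to ServerB as coming from 10.66.66.1; if you need the real client address on ServerB, drop that rule and instead give ServerB a route back to the internet via 10.66.66.1.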